exabeam_data_lake_query.py

# Example Exabeam Data Lake Query via Python
# 
# Jonathan Harms
# Octagonal Consulting
# jh@octagonal.consulting

import json
import requests

# put in whatever JSON you like - below does not work without fixing bits and pieces
example_query = json.loads('''
{
    "clusterWithIndices": [
        {
            "clusterName": "local",
            "indices": [
                "exabeam-2022.12.20"
            ]
        }
    ],
    "query": "frogger",
    "filteredTables": [
        {
            "in": true,
            "field": "src_ip",
            "tableName": "cs_ip_threat"
        }
    ],
    "docValues": [
        "indexTime"
    ],
    "source": true,
    "queryAnalyzeWildcard": true,
    "queryDefaultField": "message",
    "storedFields": [
        "*"
    ],
    "highlight": true,
    "size": 500,
    "sortBy": [
        {
            "field": "indexTime",
            "order": "desc",
            "unmappedType": "date"
        }
    ],
    "rangeQuery": {
        "field": "indexTime",
        "lte": "1671531319105",
        "gte": "1671530419105"
    },
    "dateHistogramAggr": {
        "field": "indexTime",
        "interval": "30s",
        "timeZone": "Australia/Adelaide"
    }
}
'''
)

base_url = "https://yourinstance.dl.exabeam.com"

r = requests.post(
    url = '%s/dl/api/es/search' % base_url,
    json = example_query,
    timeout = 600,
    headers = {
        'ExaAuthToken'  : "get the authorization token from DL's settings and put them here"
    }
)

if r.status_code == 200:
    # response_data has a dictionary of the JSON which you can access
    response_data = json.loads(r.text)